funsec mailing list archives
Do AV products detect PHP backdoors? Should they?
From: "John LaCour" <john () johnlacour com>
Date: Fri, 7 Nov 2008 13:32:29 -0500
After finding hundreds of phishing web sites compromised and PHP shells and other backdoors installed, I got to wondering why AV products weren't being used to detect these things.

If I had a webhosting business, I'd certainly be looking to find unwanted files installed on servers. What do you use to do that? AV products.

After collecting 99 samples of PHP shells and backdoors 'in the wild', I scanned them with 29 vendors' AV scanners to see if they were being detected. The results were a little bit disheartening, but I think it's something that can be addressed fairly easily.

Top 5 vendors:
Ikarus
ClamAV
F-Secure
AntiVir
Kaspersky

More here on test methodology, results, and caveats:
http://www.phishlabs.com/blog/archives/35

-John, PhishLabs
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.